Capture the Flag (CTF) is a long running tradition at hacker conventions. It pits teams of security researchers against each other on the same network. Every team gets an identical virtual machine image. The VM has a set of custom written services that are known to be vulnerable. The teams work to secure their image while simultaneously exploiting services on the machines of other teams. A scoring server monitors the match as it progresses and awards points to teams for keeping their services up and also for stealing data from their competitors.
The Chaos Communication Congress in Berlin December 27-30, 2008 will host a CTF competition. Most CTF matches are done head to head in the same room. While 25C3 will have local teams, it will also be wide open for international teams to compete remotely. Remote teams will host their own images on a VPN with the other competitors. Now is a good time to register and familiarize yourself with the scoring system. It will certainly be interesting to see how this competition plays out now that teams that can’t make the trip can still compete.
Most times the nodes just have generic vulnerabilities; they actually forbid you to run good memory protection and IDS solutions; unless they’ve changed the rules.
The real challenge is providing enough allowed process protection while finding the other teams vulnerabilities. It’s not easy by no means, but most of the teams use fuzzers for most of the work load.
I’ve never seen any real in depth black box pen testing done at the cc one or the defcon one. It’s probably because of lack of time I guess.
well, the ctf events in the past congresses have been somewhat entertaining. if u think u can watch over the hackers shoulders, u are wrong. u just sit behind the lines and eat n drink and act quiet.
hang on, b4 u flame me, im just saying id like to see a projector or something just to follow the action. i know very well that u dont want any cheering at a ctf and that a ctf is not for entertainment.
its just me who would like to learn from the best.
my 2 cents
They are not much of a spectator sport. And afterwards, the teams dont seem to like to talk about what they were doing, and what worked and what did not.
@yarr&nimrod: It’s the same deal with demoscene and crackers. Go look for demo sources or modern VM based unpacker sources. It’s the foundation for a social order, and all you can do is try to become better and make the others seem incompetent.
its just not that interesting to watch. most of the hackers are also busy, and a parade of people shoulder surfing always ends the same “omg, whats he doing there?”
reverse engineering takes a lot of focus and is mentally draining. getting good at these sorts of things isnt something you do by watching. go curl up with a good book (might i recommend the intel manuals?) and a disassembler.
good luck to anybody here who enters the competition.